Skip to content

OSIS-165: cap getCredentials access-denied recovery to a single retry#168

Merged
anurag4DSB merged 1 commit into
mainfrom
bugfix/OSIS-165-cap-getcredentials-recursion-mainport
Jun 29, 2026
Merged

OSIS-165: cap getCredentials access-denied recovery to a single retry#168
anurag4DSB merged 1 commit into
mainfrom
bugfix/OSIS-165-cap-getcredentials-recursion-mainport

Conversation

@anurag4DSB

Copy link
Copy Markdown
Contributor

Intent: why does this change exist?

getCredentials recovers from an access-denied assume-role by provisioning the role and retrying, but it retried by calling itself recursively with no depth limit. A persistently misconfigured Vault role would recurse until the stack overflows.

System impact: what's affected, including downstream?

The assume-role credential path used by all user and S3-credential APIs. Behavior is unchanged on the happy path and on the first recovery; only the unbounded retry is capped.

Preserved behavior: what explicitly stays the same?

On the first access-denied the role is still provisioned via setupAssumeRole and the assume-role is retried; non-access-denied errors still rethrow immediately. Caches, policies, and the order of calls are unchanged.

Intended change: what's different after this PR?

Recovery is capped at a single retry: original attempt, provision once, retry once; if it is still access-denied the VaultServiceException is rethrown instead of recursing. The retry path no longer calls getCredentials, so it cannot loop. A test pins that persistent access-denied throws after exactly one provision and two assume-role attempts.

Verification: how do we know this worked, or how would we know if it didn't?

Ran the full osis-core test module including the JaCoCo gate: green. The new test would fail (or overflow the stack) if the recursion returned.

@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

LGTM — clean fix. The recursive self-call is replaced with a structured try-provision-retry-once pattern. Verified that setupAssumeRole(String, String) is synchronous (only the OsisTenant overload is @async), so the role is set up before the retry. Test correctly pins the call counts. No issues found.

Review by Claude Code

@anurag4DSB anurag4DSB force-pushed the bugfix/OSIS-165-cap-getcredentials-recursion-mainport branch from a7e163a to c31612f Compare June 26, 2026 09:05
@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown

LGTM — the recursion-to-flat-retry refactor is clean and correct. The setupAssumeRole(String, String) overload is synchronous (not @Async), so the retry safely follows the role provisioning. Test properly pins the expected call counts.

Review by Claude Code

@anurag4DSB anurag4DSB marked this pull request as ready for review June 26, 2026 10:23
@anurag4DSB anurag4DSB requested a review from a team as a code owner June 26, 2026 10:23
@anurag4DSB anurag4DSB force-pushed the bugfix/OSIS-165-cap-getcredentials-recursion-mainport branch from c31612f to 2b1f702 Compare June 29, 2026 10:51
@anurag4DSB

anurag4DSB commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

no code change, just rebase with origin/main

@anurag4DSB anurag4DSB merged commit 100bc60 into main Jun 29, 2026
7 checks passed
@anurag4DSB anurag4DSB deleted the bugfix/OSIS-165-cap-getcredentials-recursion-mainport branch June 29, 2026 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants